ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
July 17th, 2024 | 10:00am-11:55am SGT (UTC+8) | Online
Wireshark logo

Ethereal-users: Re: [ethereal-users] Linux RedHat 6.2 - no TCP traffic?!

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Mon, 22 May 2000 11:44:03 -0700
On Mon, May 22, 2000 at 01:58:28PM -0400, Dundo wrote:
> Yes, UDP address was different than laptop's IP address.

But was the destination IP address a *unicast* address, as per the
question Gilbert asked:

> >Was the UDP to a unicast (non-broadcast, non-multicast) address that was
> >different than the laptop's NIC's IP address?

I.e., was it to an address other than 255.255.255.255 (or an address the
host part of which was all 1's), or to an address the first byte of
which was 224.

> All traffic that 
> I've created was running between two other machines, not Ethereal machine 
> itself.

I wouldn't describe broadcast traffic and multicast traffic as being
"between two other machines"; I'd describe it as running between one
other machine and *all* machines on the network (broadcast), or between
one other machine and *all* machines in the multicast group (multicast).
This is a key distinction; read on....

> As you, I'm also suspicious about that PCMCIA NIC but I cannot figure out 
> why it's not possible to 'see' only TCP.

If the UDP traffic you saw was all broadcast traffic (which would be
traffic to a MAC address of ff:ff:ff:ff:ff:ff) or multicast traffic
(which I think will have the low-order bit of the high-order byte of the
MAC address set), then, if the card can't go into promiscuous mode, the
reason why it won't see TCP traffic between two other machines on the
network is probably that it can't see traffic between two other machines
on the network (because it can't go into promiscuous mode) - it can only
see traffic received by or sent by the machine to which it's attached,
and that traffic will either be traffic from that machine, traffic to
that machine, or broadcast and multicast traffic that happens to be
received by that machine, and broadcast and multicast traffic won't be
TCP.

(The destination IP address of broadcast IP traffic will probably be
255.255.255.255, and the destination IP address of multicast IP traffic
will probably have 224 as the first byte.)

> If this NIC is not able to run in 
> promiscous mode I presume there would be no traffic visible at all.

Nope.  You'll see traffic that the NIC receives, which includes not only
traffic explicitly sent to the machine to which the NIC is attached, but
*also* includes broadcast traffic and multicast traffic sent to a
multicast group of which that machine happens to be a member.
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube